dm-crypt/LUKS passphrase/keyfile length

I have a couple of dm-crypt/LUKS related questions.


Setting up dm-crypt/LUKS with these settings:

cryptsetup -c aes-xts-plain -h sha256 --key-size=256 -y luksFormat /dev/sda1

(1) Considering the key size specified is 256 bits, how many characters long should the passphrase be? And if for some reason the size may vary, why? And what is the recommended size?


When using a key file with these settings (or alternatively adding one to an available slot):

cryptsetup -c aes-xts-plain -h sha256 --key-size=256 luksFormat /dev/sda1 /path/to/key/file

(2) What size should the key file be? And again, if the size may vary, why, and what is recommended?

(3) What is the difference between --key-size=BITS and --keyfile-size=bytes?

I know one means "The size of the encryption key" and one "Limits the read from keyfile", but I don't understand the exact correlation between them.

(4) ...and between --keyfile-size=bytes and --new-keyfile-size=bytes?


I read the man page multiple times, and researched the Internet reading many different articles. These are just a couple of things that confuse me.


(1) Considering the key size specified is 256 bits, how many characters long should the passphrase be? And if for some reason the size may vary, why? And what is the recommended size?

It should be as long as you can reasonably remember and you are willing to type. It is run through a hash function, but it will stop reading after the first newline \n. The hash function takes as much text as you give it, then gives a result.

The sha256 hash for the text superuser.com is 6153a5e4835cfb92fa324bfce5470a0b8d554cadbf7a9fbe21be74460897e021, and the hash for the entire body text of the first version of your question is f653459aa401efd1f058de5920cb25fe03bb969c90b001fd0f5282164c8b1afa. Notice how the output is the same length.

(2) What size should the key file be? And again, if the size may vary, why, and what is recommended?

Normally LUKS will only use the amount of data from the file that it actually needs. So you could use a 1GB file, and if your key-size=256 then it will only use the first 256 bits. So your keyfile should be at least as big as your key-size value, but it may be bigger. I tend to just create a 4096 byte keyfile by using a command like dd if=/dev/random of=/../mykeyfile bs=4096 count=1. This gives you more data than you need, but it is still a relatively small file.

(3) What is the difference between --key-size=BITS and --keyfile-size=bytes?

I am not sure which version of cryptsetup you are running; the keyfile-size option appears to be new. The note in the release notes seems to suggest that it is present to make LUKS read more data from the file than what your key-size value is.
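As an added example (not part of the question or the answer above, and not cryptsetup's own code), the shell functions below reproduce two points from the answer with ordinary coreutils and no LUKS device: the passphrase digest has a fixed length whatever the input size and, as the answer describes, only the text before the first newline counts; and a keyfile made with the answer's dd recipe is checked against the --key-size in bits. The function names, the use of /dev/urandom instead of the answer's /dev/random (so the demo cannot block on an unseeded pool), and the umask 077 around dd are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the superuser thread: demonstrates the answer's
# claims about passphrase hashing and keyfile sizing without touching LUKS.

# Portable sha256 of stdin, printed as 64 hex characters.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d ' ' -f 1
    else
        shasum -a 256 | cut -d ' ' -f 1
    fi
}

# Hash a passphrase the way the answer describes it: everything after the
# first newline is ignored, the rest goes through sha256.
# $1 = passphrase text (may contain newlines); prints the hex digest.
passphrase_digest() {
    printf '%s' "$1" | head -n 1 | tr -d '\n' | sha256_hex
}

# Length of the digest in hex characters; always 64 for sha256, regardless
# of how short or long the passphrase was.
digest_len() {
    printf '%s' "$(passphrase_digest "$1")" | wc -c | tr -d ' '
}

# Create a random keyfile like the answer's dd command. The subshell umask
# ensures the file is created mode 0600, never world-readable.
# $1 = path, $2 = size in bytes (default 4096, as in the answer).
# Assumption of this example: /dev/urandom rather than /dev/random.
make_keyfile() {
    path=$1
    bytes=${2:-4096}
    ( umask 077 && dd if=/dev/urandom of="$path" bs="$bytes" count=1 2>/dev/null )
}

# Minimum keyfile size in bytes that covers a given --key-size in bits.
min_keyfile_bytes() {
    echo $(( $1 / 8 ))
}

# Succeed (exit 0) if the keyfile holds at least key-size/8 bytes, else fail.
# $1 = keyfile path, $2 = --key-size in bits.
keyfile_covers_key_size() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -ge "$(min_keyfile_bytes "$2")" ]
}

# Stand-alone demo when run directly: short and long passphrases give
# digests of the same length; a 4096-byte keyfile covers a 256-bit key.
if [ "${0##*/}" = "luks_demo.sh" ]; then
    echo "short : $(passphrase_digest 'abc') ($(digest_len 'abc') chars)"
    long=$(printf 'a very long passphrase typed across\nseveral lines of text')
    echo "long  : $(passphrase_digest "$long") ($(digest_len "$long") chars)"
    tmp=$(mktemp -d)
    make_keyfile "$tmp/mykeyfile" 4096
    keyfile_covers_key_size "$tmp/mykeyfile" 256 && echo "keyfile covers 256-bit key"
    rm -rf "$tmp"
fi
```

The keyfile check only enforces the lower bound the answer gives (at least key-size/8 bytes); it says nothing about how much of a larger file cryptsetup actually consumes, which is what --keyfile-size controls.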